I have a simple form that sends email using mail(). there are only 4 fields.
first name, last name, email address, message

I plan on validating for the email addres, and to strip tags in the message. but how much validation does anyone think the other fields need? I'm more concerned with spamming.

thanks for any opinions,
c.c.

meth

05-29-2007, 11:35 PM

There's 2 types of spambots to check for; email and links. Email spambots will try to inject additional mail addresses to send to in the mail headers. Link spambots will try to submit the form with 10 to 20 links in the message.

To combat email spam, do stristr() searches on the POST values for 'CC:', 'BCC:', 'Content-Transfer-Encoding:', 'Subject:', 'Content-Type' and 'MIME-Version'. If any of these strings are found, you have a spambot or a tester feeling out your form for exploitability. I'd advise doing a header('Location: http://spam.abuse.net/'); if any of these strings are found.

To check for link spamming, do stristr() searches on the POST values for '=http:', '="http:', and '= http:'. How you proceed with search results is up to you. If the string is found 10 or more times, I consider this spam and send the user on their way to spam.abuse.net. For <10 hits however, my preference is to just output a message to the user to format the message with links as plain text, no html.

ClubCosmic

05-30-2007, 12:03 AM

Thank you for your reply. I never ran into the need for this kind of validation before and always like to be secure with forms and input.

ClubCosmic

05-30-2007, 02:37 AM

I've fixed the code up some but i now realize i can't use an array as the 2nd argument in
function ValSpam(){
$array = array('cc:', 'bcc:', 'content-transfer-encoding:', 'subject:', 'content-type:', 'mime-version:', '=http:', '="http:', '= http:');
foreach ($_POST as $value){
if (stristr($value, $array)){
echo '<font color="red"><b>Sorry</b></font><p>';

i can do 1 argument at a time but not search through the array for it.